On Sun, 2006-09-10 at 15:32 -0400, Hector Santos wrote:
> ----- Original Message -----
> From: "Douglas Otis" <[EMAIL PROTECTED]>
>
> > A system is not misconfigured that asserts all messages are
> > initially signed and that non-compliant services are also used. In
> > this case, one should expect a signature may be damaged or not added
> > by such services. Sending a message to virtually any mailing list
> > such as this one will cause messages to be lost when following your
> > advice. In the case of a mailing list, the change may not be minor,
> > but at the same time, it is not nefarious either.
>
> Why would you want to send a signed message to a mailing list server
> that is
> a) not DKIM-SSP compliant and
> b) known to alter the integrity of the message?

Although it may be practical for a domain to ensure all outbound mail is appropriately signed, it is _not_ practical for a domain to alter the operations of thousands of mailing-list services without outright banning their use. Stating all email-addresses are initially signed means signature failures should be limited to a subset of domains known to be operating these non-compliant services. The operation of these services is evidenced by a number of signature failures, where such services can be easily listed. Messages with failures not from one of these sources known to cause signature failure may invoke additional analysis. For the most part, list administrators appear to promptly handle abuse issues.

> What good are you expecting from this?

This provides a practical means to deal with signature failures in the most restrictive fashion possible without expecting the world to suddenly become DKIM compliant.

> All this does is promote the "Cry Wolf" syndrome, harming your own domain
> while also putting others at risk of receiving more DKIM junk disguised as
> your domain.

The only alternative option when dealing with you or Thomas would be to not publish any assertion that all email-addresses are initially signed. Rather than permitting a practical transitional process, perhaps too many share your mindset and wish to force everything into becoming instantly DKIM compliant. That approach is almost certain to backfire and may cause policy not to be published, or cause DKIM not to be deployed. :(

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
